Source: unknown
TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp
String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.bin
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp
String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F588C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F03CA NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F8FC4 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F0BEF NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F93EC NtResumeThread,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F4C19 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F7EA4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F42C4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F58FA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F474F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F43A8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F61C5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F93FB NtResumeThread,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 13_2_00569B42 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 13_2_00569C0E LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 13_2_00569B3D TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_00404478
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_00404418
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_00404834
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_004036F0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_004034F4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_00403488
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_004046B4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_00404774
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_00404534
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_004045F4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_004035B2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_004043B8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F8680
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F0567
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F03CA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F0BEF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F93EC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F4C19
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F424C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F8A4B
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F3C48
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F0E55
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F8C67
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F9E67
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F1060
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F0E7A
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F1070
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F0C8E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F808E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F249F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F2899
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F7EA4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F56A3
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F2EA2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F14C6
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F42C4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F20C0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F7AD9
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F10EB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F7EE6
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F20FE
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F2CF2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F3912
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F5D10
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F7F34
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F474F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F154C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F5D5D
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F0B55
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F1D68
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F1D73
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F43A8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F3FBC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F61C5
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F37D8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F0BD2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F77FF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F89FD
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F93FB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F87FA
Source: LzbZ4T1iV8.exe, 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1721652241.000000001DD60000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenamemswsock.dll.muij% vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe, 0000000D.00000000.861623499.0000000000417000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe
Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: unknown
Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_004018D2 push fs; retf 1_2_004018D4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F662F push cs; iretd 1_2_020F6630
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F003D push esp; iretd 1_2_020F003E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F00AA push esp; iretd 1_2_020F00AB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 13_2_0056A006 pushfd ; iretd 13_2_0056A007
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 13_2_00569F30 pushfd ; retf 13_2_00569F43
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F03CA NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F0BEF NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 00000000020F7542 second address: 00000000020F7542 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 00000000020F0504 second address: 00000000020F0504 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
File opened: C:\Program Files\qga\qga.exe
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp, LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTP://101.99.94.119/WEALTH_PRUUQVZW139.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 00000000020F74C3 second address: 00000000020F7542 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push D90E6CFBh 0x00000010 call 00007F7AFC9FAF32h 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 mov ebx, dword ptr [eax+3Ch] 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 mov eax, dword ptr [ebp+04h] 0x00000023 add eax, ebx 0x00000025 mov ecx, dword ptr [eax+18h] 0x00000028 mov dword ptr [ebp+08h], ecx 0x0000002b mov ecx, dword ptr [eax+1Ch] 0x0000002e mov dword ptr [ebp+14h], ecx 0x00000031 mov ecx, dword ptr [eax+24h] 0x00000034 mov dword ptr [ebp+10h], ecx 0x00000037 mov esi, dword ptr [eax+20h] 0x0000003a add esi, dword ptr [ebp+04h] 0x0000003d xor ecx, ecx 0x0000003f mov edx, dword ptr [esi] 0x00000041 add edx, dword ptr [ebp+04h] 0x00000044 mov dword ptr [ebp+000001F3h], eax 0x0000004a test si, 2E1Ah 0x0000004f mov eax, ecx 0x00000051 push eax 0x00000052 mov eax, dword ptr [ebp+000001F3h] 0x00000058 mov dword ptr [ebp+000001C8h], ebx 0x0000005e mov ebx, esi 0x00000060 push ebx 0x00000061 pushad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 00000000020F734C second address: 00000000020F734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007F7AFC9FAEFEh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 00000000020F8236 second address: 00000000020F8261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007F7AFC461375h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 00000000020F7D0C second address: 00000000020F7D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007F7AFC9FAF1Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F7AFC9FAFF9h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007F7AFC9FAEFAh 0x0000005b cmp edx, eax 0x0000005d call 00007F7AFC9FAF5Ch 0x00000062 call 00007F7AFC9FAF3Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007F7AFC9FAFF9h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 00000000020F7E99 second address: 00000000020F7E99 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FE410F8Bh 0x00000013 xor eax, 50497853h 0x00000018 xor eax, DF92CCE2h 0x0000001d add eax, 8E6544C7h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F7AFC461A6Eh 0x0000002e cmp edx, eax 0x00000030 popad 0x00000031 test esi, 5A8E86D2h 0x00000037 call 00007F7AFC461551h 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 000000000056734C second address: 000000000056734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007F7AFC46130Eh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 0000000000568236 second address: 0000000000568261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007F7AFC9FAF65h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 0000000000567D0C second address: 0000000000567D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007F7AFC46132Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F7AFC461409h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007F7AFC46130Ah 0x0000005b cmp edx, eax 0x0000005d call 00007F7AFC46136Ch 0x00000062 call 00007F7AFC46134Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007F7AFC461409h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 0000000000567E99 second address: 0000000000567E99 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FE410F8Bh 0x00000013 xor eax, 50497853h 0x00000018 xor eax, DF92CCE2h 0x0000001d add eax, 8E6544C7h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F7AFC9FB65Eh 0x0000002e cmp edx, eax 0x00000030 popad 0x00000031 test esi, 5A8E86D2h 0x00000037 call 00007F7AFC9FB141h 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
RDTSC instruction interceptor: First address: 0000000000562D9E second address: 000000000056734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push ebx 0x00000004 cmp bx, cx 0x00000007 mov ebx, dword ptr [ebp+000001E5h] 0x0000000d mov dword ptr [ebp+0000023Eh], edi 0x00000013 mov edi, ebx 0x00000015 push edi 0x00000016 mov edi, dword ptr [ebp+0000023Eh] 0x0000001c test cx, ax 0x0000001f mov dword ptr [ebp+00000277h], ecx 0x00000025 mov ecx, edi 0x00000027 push ecx 0x00000028 cmp bx, cx 0x0000002b mov ecx, dword ptr [ebp+00000277h] 0x00000031 call 00007F7AFC465881h 0x00000036 mov ecx, dword ptr [esp+0Ch] 0x0000003a mov edx, dword ptr [esp+08h] 0x0000003e mov ebx, dword ptr [esp+04h] 0x00000042 test ecx, ecx 0x00000044 je 00007F7AFC461338h 0x00000046 test eax, ecx 0x00000048 mov al, byte ptr [edx] 0x0000004a mov byte ptr [ebx], al 0x0000004c pushad 0x0000004d mov ecx, 00000009h 0x00000052 rdtsc
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp, LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F8680 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F5461 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F78E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F2CF2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F735B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe
Code function: 1_2_020F37D8 mov eax, dword ptr fs:[00000030h]
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp
Binary or memory string: Program Manager
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: logs.dat.13.dr
Binary or memory string: [ Program Manager ]
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp
Binary or memory string: Progmanlock